SHA-1 certificates are no longer supported in macOS Catalina and iOS 13

If you still have Windows XP, you may see that some webpages won’t load, some webpages won’t let you log in, and so on. A lot of software no longer supports Windows XP, including web browsers, and you also can’t use the newest security certificates and features. Apple, known for quickly dropping old technology, has dropped support for TLS certificates signed with the SHA-1 hash algorithm in the upcoming macOS Catalina and iOS 13. It’s interesting that the current OS, macOS Mojave, still supports the SHA-1 hash algorithm, even though companies like Google, Microsoft and Mozilla already deprecated these certificates in 2017.

Apple says all TLS server certificates must comply with these new security requirements in macOS Catalina and iOS 13:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

According to Apple, any connection to a TLS server violating these new requirements will fail, which may cause network failures, apps to fail, and websites not to load in Safari on macOS Catalina and iOS 13.
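A quick way for an administrator to find out whether a server certificate will be rejected under these three rules is to read it with the OpenSSL command-line tool and look at the key size, the signature algorithm and the Subject Alternative Name. The script below is an added example, not code from the original post or from Apple; it assumes the `openssl` CLI is installed and checks exactly the three requirements listed above (RSA-PSS signatures and non-RSA key types are only partially covered, as the comments note).

```shell
#!/bin/sh
# Check a PEM certificate against the three macOS Catalina / iOS 13 TLS rules
# quoted above: RSA key >= 2048 bits, SHA-2 signature, DNS name in the SAN.
# Added example (not from the post); assumes the openssl CLI is available.

# check_cert_pem <cert.pem>  -> returns 0 if all three rules pass, 1 if any fails,
#                               2 if the file cannot be parsed.
check_cert_pem() {
    pem="$1"
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || {
        echo "cannot parse $pem"; return 2; }
    fail=0

    # Rule 1: RSA keys must be at least 2048 bits (the rule only speaks about RSA,
    # so EC keys are left alone here).
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
            echo "FAIL: RSA key is ${bits:-unknown} bits (< 2048)"; fail=1
        else
            echo "ok:   RSA key is $bits bits"
        fi
    fi

    # Rule 2: the signature hash must come from the SHA-2 family.
    # RSA-PSS certificates report "rsassaPss" with a separate hash parameter and
    # would need extra parsing; sha1WithRSAEncryption and md5 land in the FAIL branch.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$sigalg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512)
            echo "ok:   signature algorithm $sigalg" ;;
        *)  echo "FAIL: signature algorithm '$sigalg' is not from the SHA-2 family"; fail=1 ;;
    esac

    # Rule 3: a DNS name must be present in the Subject Alternative Name extension;
    # a CommonName alone is no longer enough.
    if printf '%s\n' "$text" | sed -n '/X509v3 Subject Alternative Name/{n;p;}' | grep -q 'DNS:'; then
        echo "ok:   Subject Alternative Name carries a DNS name"
    else
        echo "FAIL: no DNS name in Subject Alternative Name (CommonName is not trusted)"; fail=1
    fi
    return $fail
}

# check_server <hostname> [port]  -> fetches the leaf certificate of a live
# server with SNI and runs the same checks on it (network access required).
check_server() {
    host="$1"; port="${2:-443}"
    tmp=$(mktemp) || return 2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" 2>/dev/null
    check_cert_pem "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `check_cert_pem server.pem` on an exported certificate, or `check_server www.example.test` against a live host (hypothetical hostname), and act on every line starting with `FAIL`. Because Apple applies the rules to the issuing CAs as well, the intermediate certificates in the chain deserve the same check.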

Someone may say that it’s “planned obsolescence”, but that’s not true. Software developers can’t support old and insecure standards forever. It’s time to move on, and these deprecation steps only serve users by improving the security of computer systems.

Liked it? Take a second to support Lukáš Raynor Majer on Patreon!
